
Canadian banking password policies

I have gathered the password policies for most of the major Canadian banks:

| Bank | Minimum length | Maximum length | Allows special characters | Notes |
|---|---|---|---|---|
| BMO | 6 | 6 | No | All passwords must be 6 digits in length! Your web password is also used as your phone banking password?! |
| TD Canada Trust | 5 | 8 | No | |
| CIBC | 6 | 12 | No | No suggestions or tips, and no indication whatsoever of allowed characters; but trying to use special characters gives you an error. |
| PC Financial (CIBC managed) | 6 | 12 | Unknown | No suggestions or tips, and no indication whatsoever of allowed characters. |
| Scotiabank | 8 | 16 | No | Must use at least 1 number and one letter |
| RBC Royal Bank | 8 | 32 | Yes! | Encourages special characters, and has a two-step process for choosing a decent password |

Here are the screenshots of the various banking websites' security-related pages:

The TD Canada Trust change password page, which had the weakest password policy of all the Canadian banks examined.

The Scotiabank password change page, which supported 16 character passwords but no special characters.

The Scotiabank access-code page, which is a special code required to add a new bill payment recipient and other functions.

RBC’s change password page, which allows special characters and had the longest allowed password of any bank examined.

Part 1 of the RBC Securing your Passwords page, which encourages special characters.

Part 2 of the RBC Securing your Passwords page. Unfortunately there is no mention of using any kind of password manager tool.

PC Banking's page (managed by CIBC), which allows passwords of at most 12 characters.

The CIBC password policies: 6 – 12 characters with no special characters.

The BMO password change page; 6 characters only please!

Apparently nobody I know uses CIBC, but we were able to get PC Banking, which is managed by CIBC. Update 2013-04-12: I was able to get a hold of the CIBC password policies! It doesn’t say on the screen but special characters are not allowed, and trying to use them generates an error message. I also received the BMO password page, but it really deserves its own blog post…

RBC is the clear winner here in terms of password security, encouraging special characters and supporting 32-character passwords. TD's maximum allowed password length (8) is Scotiabank's and RBC's minimum password length, and BMO doesn't even let you have a password that long; considering that neither TD nor BMO supports special characters, these two clearly have the least secure password policies of the banks examined.

Security questions

In addition to passwords, several of the banks support "security" questions, such as TD's "What is your favourite chocolate bar?", while Scotiabank uses a 5 – 8 digit "Access code" that is required to perform certain operations.

This and other websites recommend that the answer to a good security question has all four of the following characteristics:

It must be safe, so that hackers cannot easily guess or research the answer to the question;

The answer must be stable, and not change over time (so the "favourite whatever" category of questions is not very good);

Obviously the answer must be memorable, so the user doesn't forget it;

The answer must be simple.

Finding questions with these kinds of answers is very difficult. From the website:

"Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered."

In today's age of social media, discovering the answers to such questions is often far easier than you might think. People are posting unending streams of information about themselves on Twitter, Facebook, and Pinterest. If that doesn't help a hacker, the criminal underground also makes it easy and cheap to purchase a person's credit report:

"the hackers had considerable amounts of information about the victims, including social-security numbers and other personally identifying information."

In 2009 this allowed a woman to sue her bank for lax security after she had $26,000 stolen from her account by a hacker, because the bank only used a password and security question!

So what’s the solution?

Two-factor authentication

Two-factor authentication provides a much stronger form of authentication. It requires two of the following three factors:

Something the user knows – a password or a security question / answer

Something the user has – such as a security key-fob or a cell-phone

Something the user is – such as a fingerprint

Both a password and the answer to a security question are something the user knows, so this pair is not actually two-factor authentication. Getting a user's fingerprint over the internet is obviously not going to happen any time soon.

What are other companies doing?

GMail, Yahoo and Outlook allow you to use your cell-phone as a second factor authentication device. For example, every time I log onto my Google account, Google sends a text message containing a secret code to my cell phone. I enter that code into the website and only then am I allowed to log in. If you don’t have a text-capable device Google even has an automated system that can call a traditional voice-only land-line and speak the code to you. This is just to protect your e-mail, Google Analytics or AdWords account!

WordPress

There are at least three plug-ins for WordPress that can give your WordPress small-business website or blog two-factor authentication:

Authy – Like Google, each time you need to log-in to your website Authy will send your phone a text message with a unique secret code. You must enter this code into the website before you can completely log-in. The secret code changes every 20 seconds, and each code can only be used once. Very nice. CloudFlare uses Authy to protect CloudFlare users as well.

Duo – Similar to Authy, after you login to your WordPress website Duo will require you to enter a secret code. Duo will send your phone a text-message containing 6 different codes, although you only enter one code each time you login. This means that one text message is good for six different log-ins, reducing the total number of text messages Duo has to send and you have pay to receive. (Unfortunately, there seems to be a bug in the plug-in, because shortly after I installed it, a number of core WordPress files got corrupted!)

Google Authenticator – Enables you to use Google’s two-factor authentication on your own website. I haven’t used this plug-in myself.

So it’s very easy to protect your WordPress small-business website or blog with two-factor authentication.

Amazon

Amazon Web Services can also be protected with two-factor authentication. They support any TOTP-compliant app on your computer, smart phone, or tablet. Like the other methods discussed above, TOTP is a secure and standardized way of generating unique one-time codes every 30 seconds. This allows you to use any device with a TOTP app to generate a unique secret code, and then type that code in to Amazon when logging in. Only your device and Amazon know the code at any given moment. Alternatively you can buy a $13 key that generates a unique code every 30 seconds and basically works the same way.

Conclusion

So we've seen that (with the exception of RBC) the Canadian banks have very poor password policies. Furthermore, all of the Canadian banks are using one-factor authentication, which is not compliant with US regulations at least. We've seen that major e-mail providers and Amazon provide powerful two-factor authentication to protect your e-mail and your web services, and you can even protect your blog or small-business website with cheap two-factor authentication.

While there do not seem to be any Canadian banking regulations regarding online banking website security, I nevertheless wonder how willing Canadian courts would be to look to other Canadian industries, and to the US banks, for inspiration if somebody lost money due to a hack at a Canadian bank.

Personally, my online web bank account is linked to my small business account, my RRSPs, my kids' RESPs, and my mortgage! That's pretty much my entire life savings right there. I for one would happily pay, say, a $1/month service fee to be able to protect my bank account with two-factor authentication. And I would REALLY like to have a decent sized password with some special characters in it!!

It’s 2013. I think the Canadian banks need to step up their game and support 2013 style authentication mechanisms; 8 character maximum passwords just don’t cut it any more.